
Elastic Container Instance:Grant permissions to a RAM user

Last Updated:May 31, 2024

By default, you can use an Alibaba Cloud account to manage Elastic Container Instance resources. However, when a Resource Access Management (RAM) user is created for an Alibaba Cloud account, the RAM user does not have permissions to manage the resources within the Alibaba Cloud account. You must grant the required permissions to the RAM user before you can manage Elastic Container Instance resources as the RAM user. This topic describes how to grant permissions on Elastic Container Instance resources to a RAM user.

Prerequisites

A RAM user is created. For information about how to create a RAM user, see Create a RAM user.

Permission description

You can attach a permission policy to a RAM user to grant specific permissions to the RAM user. The following table describes the policies that are related to Elastic Container Instance resources.

Policy: AliyunECIReadOnlyAccess

Description: Grants read-only permissions on Elastic Container Instance resources. This is a default system policy and contains the following permissions:

  • eci:Describe*: the permissions to query Elastic Container Instance resources

  • eci:List*: the permissions to query Elastic Container Instance resources

  • ecs:DescribeSecurityGroups: the permissions to query security groups

  • vpc:DescribeVSwitches: the permissions to query vSwitches

  • vpc:DescribeVpcs: the permissions to query virtual private clouds (VPCs)

Policy: AliyunECIFullAccess

Description: Grants permissions to manage Elastic Container Instance resources. This is a default system policy and contains the following permissions:

  • eci: all permissions to manage Elastic Container Instance resources

  • ecs:DescribeSecurityGroups: the permissions to query security groups

  • vpc:DescribeVSwitches: the permissions to query vSwitches

  • vpc:DescribeVpcs: the permissions to query VPCs

  • vpc:DescribeEipAddresses: the permissions to query elastic IP addresses (EIPs)

Other permissions to perform operations in the Elastic Container Instance console

If you want the RAM user to perform operations in the Elastic Container Instance console, you must grant the RAM user the following permissions in addition to the permissions granted by the AliyunECIFullAccess system policy:

  • ram:ListRoles: the permissions to query RAM roles of instances

  • nas:DescribeFileSystems: the permissions to query network-attached storage (NAS) file systems

  • oss:ListBuckets: the permissions to query Object Storage Service (OSS) buckets

  • vpc:DescribeCommonBandwidthPackages: the permissions to query EIP bandwidth plans

  • cr:GetRepoList: the permissions to query image repositories

  • cr:GetRepoTags: the permissions to query tags of images in a repository

  • cr:GetImageManifest: the permissions to query manifest information about an image

  • cr:SearchRepo: the permissions to search for image repositories
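The lists above are what a least-privilege review of a RAM user works from: which actions each attached policy allows, whether a service-wide wildcard such as eci:* is in play, and whether the union of the attached policies actually covers what the user needs. The following Python script is an added example, not code from this page or from Alibaba Cloud. It embeds the custom console policy from the Procedure section of this page, plus constructed approximations of AliyunECIReadOnlyAccess and AliyunECIFullAccess built only from the action lists above (the real system policy documents may differ), and evaluates actions against them. The evaluation model (a matching Deny wins, otherwise a matching Allow grants, otherwise implicit deny; no Condition handling) and the sample action names eci:DescribeContainerGroups, eci:CreateContainerGroup and eci:DeleteContainerGroup are assumptions used for illustration.

```python
"""Offline check of which RAM policies cover which actions.

Added example, not Alibaba Cloud code. Policy evaluation is simplified:
explicit Deny beats Allow, an action with no matching Allow is implicitly
denied, and Condition blocks are ignored.
"""
import fnmatch
import json

# Custom policy document from the Procedure section of this page: the console
# permissions that AliyunECIFullAccess does not include.
CONSOLE_POLICY = json.loads("""
{
    "Statement": [
        {"Action": "ram:ListRoles", "Effect": "Allow", "Resource": "*"},
        {"Action": "nas:DescribeFileSystems", "Effect": "Allow", "Resource": "*"},
        {"Action": "oss:ListBuckets", "Effect": "Allow", "Resource": "*"},
        {"Action": "vpc:DescribeCommonBandwidthPackages", "Effect": "Allow", "Resource": "*"},
        {"Action": ["cr:GetRepoList", "cr:GetRepoTags", "cr:GetImageManifest", "cr:SearchRepo"],
         "Effect": "Allow", "Resource": "*"}
    ],
    "Version": "1"
}
""")

# Constructed approximations of the two system policies, built only from the
# action lists in the table above. The real policy documents may differ.
ECI_READ_ONLY = {"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "eci:Describe*", "eci:List*", "ecs:DescribeSecurityGroups",
    "vpc:DescribeVSwitches", "vpc:DescribeVpcs"]}]}
ECI_FULL = {"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "eci:*", "ecs:DescribeSecurityGroups", "vpc:DescribeVSwitches",
    "vpc:DescribeVpcs", "vpc:DescribeEipAddresses"]}]}

# The eight extra actions the page lists for console use.
CONSOLE_ACTIONS = ["ram:ListRoles", "nas:DescribeFileSystems", "oss:ListBuckets",
                   "vpc:DescribeCommonBandwidthPackages", "cr:GetRepoList",
                   "cr:GetRepoTags", "cr:GetImageManifest", "cr:SearchRepo"]

# Constructed Deny policy: narrows AliyunECIFullAccess without editing it.
DENY_DELETE = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "eci:DeleteContainerGroup", "Resource": "*"}]}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policies, action, resource="*"):
    """Evaluate one action against all attached policies.

    Simplified RAM semantics (assumption for this example): a matching Deny
    statement wins outright, otherwise any matching Allow grants, otherwise the
    action is implicitly denied. Action patterns use * and ? wildcards and are
    compared case-sensitively; Condition blocks are not modelled.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


def missing_actions(policies, required):
    """Return the required actions that the attached policies do not allow."""
    return [a for a in required if not is_allowed(policies, a)]


def broad_allows(policy):
    """List Allow entries that grant a whole service ("svc:*") or everything ("*"),
    the statements a least-privilege review should look at first."""
    return [a for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
            for a in _as_list(stmt["Action"]) if a == "*" or a.endswith(":*")]


if __name__ == "__main__":
    # Read-only user: can list container groups but not create them.
    print(is_allowed([ECI_READ_ONLY], "eci:DescribeContainerGroups"))
    print(is_allowed([ECI_READ_ONLY], "eci:CreateContainerGroup"))
    # Full access alone is not enough for the console; with the custom policy it is.
    print(missing_actions([ECI_FULL], CONSOLE_ACTIONS))
    print(missing_actions([ECI_FULL, CONSOLE_POLICY], CONSOLE_ACTIONS))
    # Deny overrides the eci:* Allow for the one action it names.
    print(is_allowed([ECI_FULL, DENY_DELETE], "eci:DeleteContainerGroup"))
    print(broad_allows(ECI_FULL))
```

Run it as a plain script; the checks it prints are the ones worth automating before attaching policies to a RAM user: AliyunECIReadOnlyAccess covers Describe and List operations only, AliyunECIFullAccess on its own leaves all eight console actions uncovered, and a separate Deny policy is a way to carve exceptions out of the eci:* grant without maintaining a copy of the system policy.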

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. If you want the RAM user to be able to manage Elastic Container Instance resources in the Elastic Container Instance console, create a custom policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. Click the JSON tab, copy the following script to the code editor, and then click Next to edit policy information.

      {
          "Statement": [
              {
                  "Action": "ram:ListRoles",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "nas:DescribeFileSystems",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "oss:ListBuckets",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": "vpc:DescribeCommonBandwidthPackages",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Action": [
                      "cr:GetRepoList",
                      "cr:GetRepoTags",
                      "cr:GetImageManifest",
                      "cr:SearchRepo"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }

    4. Enter a policy name in the Name field and click OK.

  3. Grant permissions to the RAM user based on your needs.

    1. In the left-side navigation pane, choose Identities > Users.

    2. Find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.

    3. In the panel that appears, configure parameters.

      The following table describes the parameters.

      Parameter: Resource Scope

      Description: The authorization scope.

      • Account: The permissions apply to the current Alibaba Cloud account.

      • ResourceGroup: The permissions apply to the specified resource group.

      Parameter: Principal

      Description: The RAM user to which you want to grant permissions. The RAM user that you selected is automatically populated in the Principal field. You can also specify another RAM user.

      Parameter: Policy

      Description: The policies that you want to attach to the RAM user. Select policies that fit your needs.

      • If you want the RAM user only to view Elastic Container Instance resources, select the AliyunECIReadOnlyAccess system policy.

      • If you want the RAM user to manage Elastic Container Instance resources by calling API operations, select the AliyunECIFullAccess system policy.

      • If you want the RAM user to manage Elastic Container Instance resources by using the Elastic Container Instance console, select the AliyunECIFullAccess system policy and the custom policy that you created in Step 2.

    4. Click Grant permissions and follow the on-screen instructions to complete subsequent operations.

References

If you want to control the permissions of RAM users on Elastic Container Instance resources, you can use resource groups and labels to manage the RAM users by group and by permission. For more information, see: